To reproduce my results you should know how to establish GPRS connection from you PC and know MMS profile settings: APN, proxy, MMSC url.

MMS message usually is a file which consists of MMS headers and body. Body contains media content which is described by SMIL (Synchronized Multimedia Integration Language). All parts of message are encapsulated using MMS encapsulation protocol. The easies way I've found to create an MMS is using mmscomp utility from NowSMS gateway. Create a headers file:

#cat 1.header
X-Mms-Message-Type: m-send-req
To: +380501111111/TYPE=PLMN
From: 617764631
X-Mms-Transaction-Id: 35345345
X-Mms-Version: 1.0
Subject: test

From and X-Mms-Transaction-Id headers are just random numbers, I have not checked if they're mandatory.

Create a smil file which will contain a multimedia definitions. SMIL is a rich format which supports animation and sound.
However for test purposes simple file is enough:
#cat 1.smil
<smil>
<body>
<text src="1.txt"></text>
</body>
</smil>

#cat 1.txt
test
Compile the file:

C:NowSMSmmscomp 1.header 1.smil

and got 1.mms

00000000 8c 80 98 33 35 33 34 35 33 34 35 00 8d 90 97 2b |...35345345....+|
00000010 33 38 30 35 30 33 31 31 31 31 31 31 2f 54 59 50 |380503111111/TYP|
00000020 45 3d 50 4c 4d 4e 00 89 0b 80 36 31 37 37 36 34 |E=PLMN....617764|
00000030 36 33 31 00 96 74 65 73 74 00 84 1d b3 8a 3c 31 |631..test.....<1|
00000040 2e 73 6d 69 6c 3e 00 89 61 70 70 6c 69 63 61 74 |.smil>..applicat|
00000050 69 6f 6e 2f 73 6d 69 6c 00 02 24 44 61 70 70 6c |ion/smil..$Dappl|
00000060 69 63 61 74 69 6f 6e 2f 73 6d 69 6c 00 c0 22 3c |ication/smil.."<|
00000070 31 2e 73 6d 69 6c 3e 00 8e 31 2e 73 6d 69 6c 00 |1.smil>..1.smil.|
00000080 3c 73 6d 69 6c 3e 0d 0a 20 20 20 3c 62 6f 64 79 |<smil>.. <body|
00000090 3e 0d 0a 20 20 20 20 20 20 3c 74 65 78 74 20 73 |>.. <text s|
000000a0 72 63 3d 22 31 2e 74 78 74 22 3e 3c 2f 74 65 78 |rc="1.txt"></tex|
000000b0 74 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 73 |t>..</body>..</s|
000000c0 6d 69 6c 3e 12 06 83 c0 22 3c 31 2e 74 78 74 3e |mil>...."<1.txt>|
000000d0 00 8e 31 2e 74 78 74 00 74 65 73 74 0d 0a |..1.txt.test..|

Another way to get well formed MMS is to record your mobile phone request. Set APN in mms profile same as in gprs case. Put proxy to your server. There are many ways to record data, but I've used netcat to listen and tcpdump to record. MMS I've extract using dd.

Here is the sample of netcat output:

POST http://mms/ HTTP/1.1
Content-Type: application/vnd.wap.mms-message
x-wap-profile: "http://wap.samsungmobile.com/uaprof/x630_10.xml"
Cookie2: $Version="1"
Content-Length: 556
Proxy-Connection: Keep-Alive
Pragma: no-cache
User-Agent: SEC-SGHX630/1.0 TSS/2.5
Host: mms

<8C><80><98>617764631^@<8D><90><89>^A<81><97>^Y<EA>+380503111111/TYPE=PLMN^@<96>^E<EA>Amg^@<86><81><90><81><84>^_^_<B3><89>application/smil^@<8A><SMIL.TXT>^@^B:^F^T<83><81><EA><85>Txt73F20488.txt^@<C0>"<Txt73F20488.txt>^@<8E>Txt73F20488.txt^@Mjgtmd3<82>YESCapplication/smil^@<85>SMIL.TXT^@<C0>"<SMIL.TXT>^@<8E>SMIL.TXT^@<smil><head><layout><root-layout height="160px" width="128px"/><region id="Top" top="0" left="0" height="50%" width="100%" fit="hidden"/><region id="Bottom" top="50%" left="0" height="50%" width="100%" fit="hidden"/></layout></head><body><par dur="5s"><text src="cid:Txt73F20488.txt" region="Top" begin="0s" end="5s"></text></par></body></smil>

Extracted message by itself:

#hexdump -C samsung.mms
00000000 8c 80 98 36 31 37 37 36 34 36 33 31 00 8d 90 89 |...617764631....|
00000010 01 81 97 19 ea 2b 33 38 30 35 30 33 31 31 31 31 |.....+3805031111|
00000020 31 31 2f 54 59 50 45 3d 50 4c 4d 4e 00 96 05 ea |11/TYPE=PLMN....|
00000030 41 6d 67 00 86 81 90 81 84 1f 1f b3 89 61 70 70 |Amg..........app|
00000040 6c 69 63 61 74 69 6f 6e 2f 73 6d 69 6c 00 8a 3c |lication/smil..<|
00000050 53 4d 49 4c 2e 54 58 54 3e 00 02 3a 06 14 83 81 |SMIL.TXT>..:....|
00000060 ea 85 54 78 74 37 33 46 32 30 34 38 38 2e 74 78 |..Txt73F20488.tx|
00000070 74 00 c0 22 3c 54 78 74 37 33 46 32 30 34 38 38 |t.."<Txt73F20488|
00000080 2e 74 78 74 3e 00 8e 54 78 74 37 33 46 32 30 34 |.txt>..Txt73F204|
00000090 38 38 2e 74 78 74 00 4d 6a 67 74 6d 64 33 82 59 |88.txt.Mjgtmd3.Y|
000000a0 1b 61 70 70 6c 69 63 61 74 69 6f 6e 2f 73 6d 69 |.application/smi|
000000b0 6c 00 85 53 4d 49 4c 2e 54 58 54 00 c0 22 3c 53 |l..SMIL.TXT.."<S|
000000c0 4d 49 4c 2e 54 58 54 3e 00 8e 53 4d 49 4c 2e 54 |MIL.TXT>..SMIL.T|
000000d0 58 54 00 3c 73 6d 69 6c 3e 3c 68 65 61 64 3e 3c |XT.<smil><head><|
000000e0 6c 61 79 6f 75 74 3e 3c 72 6f 6f 74 2d 6c 61 79 |layout><root-lay|
000000f0 6f 75 74 20 68 65 69 67 68 74 3d 22 31 36 30 70 |out height="160p|
00000100 78 22 20 77 69 64 74 68 3d 22 31 32 38 70 78 22 |x" width="128px"|
00000110 2f 3e 3c 72 65 67 69 6f 6e 20 69 64 3d 22 54 6f |/><region id="To|
00000120 70 22 20 74 6f 70 3d 22 30 22 20 20 6c 65 66 74 |p" top="0" left|
00000130 3d 22 30 22 20 68 65 69 67 68 74 3d 22 35 30 25 |="0" height="50%|
00000140 22 20 77 69 64 74 68 3d 22 31 30 30 25 22 20 66 |" width="100%" f|
00000150 69 74 3d 22 68 69 64 64 65 6e 22 2f 3e 3c 72 65 |it="hidden"/><re|
00000160 67 69 6f 6e 20 69 64 3d 22 42 6f 74 74 6f 6d 22 |gion id="Bottom"|
00000170 20 74 6f 70 3d 22 35 30 25 22 20 6c 65 66 74 3d | top="50%" left=|
00000180 22 30 22 20 68 65 69 67 68 74 3d 22 35 30 25 22 |"0" height="50%"|
00000190 20 77 69 64 74 68 3d 22 31 30 30 25 22 20 66 69 | width="100%" fi|
000001a0 74 3d 22 68 69 64 64 65 6e 22 2f 3e 3c 2f 6c 61 |t="hidden"/></la|
000001b0 79 6f 75 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 |yout></head><bod|
000001c0 79 3e 3c 70 61 72 20 64 75 72 3d 22 35 73 22 3e |y><par dur="5s">|
000001d0 3c 74 65 78 74 20 73 72 63 3d 22 63 69 64 3a 54 |<text src="cid:T|
000001e0 78 74 37 33 46 32 30 34 38 38 2e 74 78 74 22 20 |xt73F20488.txt" |
000001f0 72 65 67 69 6f 6e 3d 22 54 6f 70 22 20 62 65 67 |region="Top" beg|
00000200 69 6e 3d 22 30 73 22 20 65 6e 64 3d 22 35 73 22 |in="0s" end="5s"|
00000210 3e 3c 2f 74 65 78 74 3e 3c 2f 70 61 72 3e 3c 2f |></text></par></|
00000220 62 6f 64 79 3e 3c 2f 73 6d 69 6c 3e |body></smil>|

In such a way we can easily send MMS by MM1 protocol. Connect to operator's network using gprs with MMS APN. Run the command:

http_proxy=http://oprators_proxy_ip:8080 curl --data-binary @1.mms -H "Content-Type: application/vnd.wap.mms-message" -H "x-wap-profile: "http://wap.samsungmobile.com/uaprof/x630_10.xml"" -H "User-Agent: SEC-SGX630/1.0 TSS/2.5" -H 'Cookie2: $Version="1"' http://mms/

In my case I'm getting responses similar to this one. It seems to be MMS encapsulated data which contains transaction Id.

#hexdump -C mms_response
00000000 8c 81 98 33 35 33 34 35 33 34 35 00 8d 90 92 80 |...35345345.....|
00000010 8b 66 64 68 67 79 33 74 6e 34 73 64 62 32 31 40 |.fdhgy3tn4sdb21@|
00000020 77 2e 69 6e 74 65 72 6d 6d 73 2e 6d 74 73 2e 63 |w.xxxxxxxx.xxx.c|
00000030 6f 6d 2e 75 61 00 |om.ua.|
00000036


There're no CRC checks in message files, so you can modify them as you want with hexeditor, because with some modifications smil file cannot be parsed by compressor. Mentioned above tools are enough to try these attacks on MMS infrastructure using MM1 protocol:

1. Attacking handsets by crafting a malicious MMS. Check this link: http://www.mulliner.org/pocketpc/CollinMulliner_defcon14_pocketpcphones.pdf
2. Attacking SMIL players on PC. http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547
3. Attacking end-user web interface which displays MMS. For example though XSS.
   
4. Attacking mail infrastructure by SMTP injections.
   

Our article is incomplete in case I do not tell you about MMS notifications. Mobile phone gets MMS notification in SMS which is a WAP push message with
type "application/vnd.wap.mms-message" and MMS encapsulated data. Mostly interesting for us are From:, Subject:, Content-Location. Example of raw SMS:

0051000C918350400448260004A76B0605040B8423F
0010603BEAF848C82987166333138352E312E783232
372E31008D908919802B33383035303331313631373
22F545950453D504C4D4E0096416D67008A808E020
2C888058103093A0B83687474703A2F2F696E746572
6D6D732E6D74732E636F6D2E756100

Where:
00 - default SMSC
51 - submit data with user header
00 - msg reference (do not know what is it )
0C - length of MSISDN
91 - type of MSISDN
835040044826 (380504408462)
00 - protocol identifier (do not know what is it)
04 - data coding Scheme
A7 - validity period (do not know in what time units it is)
6B - user data length. 0x6B=107. The length of the rest is 214 symbols=107 bytes, as they're written in hex

0605040b8423f0 is UDH (user data header). It is usually necessary when you want to send non standard text message.

06 - UDH Length
05 - Address identifier
04 - parameter length
0B84 - receiver port
23F0 - sender port

Then there is a WAP push message:

01 - transaction id
06 - indicates that there is a WAP PUSH message
03 - header length
BE - content type Application/vnd.wap.mms-message
AF84 - X-WAP-Application-Id = "x-wap-application:mms.ua"
8C82 - message type (mm-notification)
987166333138352E312E783232372E3100 - transaction id (null terminated string) qf3185.1.x227.1
8D90 - MMS version
8919802B3338303530333131363137322F545950453D504C4D4E00 - from (+380503116172@TYPE=PLMN)
96416D6700 - Subject: Amg
8A80 - Message Class: Personnel
8E0202C8 - Message Length: 2*256+16*12+8=712 bytes
88058103093A0B - do not know how to get 86400 from this field.
83687474703A2F2F696E7465726D6D732E6D74732E636F6D2E756100 - content location (http://hidefromlammers)

How did I get this description:

• http://www.isms.ru/faq.shtml?nameact=view&level=2&id=8&id2=764&str=1
• http://discussion.forum.nokia.com/forum/showthread.php?t=11324
• http://www.openmobilealliance.org/tech/affiliates/wap/wap-209-mmsencapsulation-20020105-a.pdf

I do not know if all fields described correctly. MMS headers have simple structure: HEADER_CODE|HEADER_VALUE. Headers' codes are 0x83 - Content-location,
0x96 - message type, and so on. In WAP-209 document all headers codes are on page 28 (Table 8). You should add 0x80 to each code to get the correct value
for MMS encapsulated message. Each header value has its own data type, for From and Content-Location it is a null terminated string. The vaules of string are just converted to hex values of symbols. For example 'http://' is 746870742F3A0A2F.

#echo 'http://' |hexdump
0000000 7468 7074 2f3a 0a2f

The easies way for me to send MMS notification is utilizing Kannel. In next article hope I'll describe how to setup it.

#lynx -dump
'http://localhost:13013/cgi-bin/sendsms?_dummy=x&username=test&password=test&text=%01%06%03%BE%AF%84%8C%82%98qf3185.1.x227.1%00%8D%90%89%19%80%2B380503116172%2FTYPE%3DPLMN%00%96Amg%00%8A%80%8E%02%02%C8%88%05%81%03%09%3A%0B%83http%3A%2F%2Fxxxxxxxxx%00&to=%2B380504408462&udh=%06%05%04%0B%84%23%F0'

In kannel's bearer.log you can get AT commands to send raw SMS through GRPS modem:

AT+CMGS=121
0051000C918350400448260004A76B0605040B8423F0010603BEAF848C82987166333138352E312E783232372E31008D908919802B3338303530333131363137322F545950453D504C4D4E0096416D67008A808E0202C888058103093A0B83687474703A2F2F696E7465726D6D732E6D74732E636F6D2E756100
^Z

To send this just connect with minicom to GPRS modem tty (rfcomm0 in my case).

The original MMS notifying SMS I've got from mbuni (open source MMSC) and then modified it for my needs. The correct content-location link I've got using GC89
Sony-Ericsson GPRS modem. My Samsung mobile does not show the full URL, but dump GC89 does when he receives MMS notification.

Using this techniques and with some conditions you can manage at least several attacks against MMSC and its users:

1. Condition: No checks for downloading number. Means that knowing the link any user can download MMS message.

• Attack: Send custom MMS to yourself. Get content-location link from SMS. Send sms notification with fake originator and content-location of your MMS. Affected user gets your MMS from fake number.
• Attack: Send custom MMS to yourself. Get content-location link. Send sms notifications to all of your friends. Now you're sending MMS by the price of SMS.

2. Condition: MMS APN and MMS proxy are the same as WAP APN and WAP proxy.
   

• Attack: You can get information about customers phone by sending SMS notification with link which directs to your server.
• Attack: You can force user to get MMS which was not converted by MMS center which usually removes malicious parts of MMS.

All attacks from condition 1 is possible with condition 2.

I have an open question, which probably somebody can answer for me: how to force MMSC to not convert you MMS message.

Other sources of information:

1. http://www.forum.nokia.com. Nokia has a good development library for MMS
   
2. http://developer.openwave.com. Open Mobile Alliance provides its MMS SDK as well
3. http://www.nowsms.com. The provide their SMS&MMS gateway which can work with gprs modem or phone. Free trial for 60 days (have not tried :)
   
4. http://www.hellkvist.org/software. Provides set of php scripts which can act as primitive MMSC
5. Mbuni - this claims to be an open source MMSC, but I did not find how to make it work as MM1 client.
6. http://gpaharenko.googlecode.com/files/gsm.tar.gz Configuration files of Kannel, mbuni for article.